Event ID 6000 — Private Channel Configuration

Updated: December 6, 2007

Applies To: Windows Server 2008

Each event channel has configuration settings, such as the maximum size of the log and the custom security descriptor specified by the administrator for the log. The events that refer to the maximum size of the log serve as indicators for how the service dealt with the log when it reached its maximum size. The operation of the service is not affected, but an event can indicate to the administrator the configuration setting that might require a change.

Events that report problems with an event log security descriptor are more significant. They can indicate that the desired security settings are not be set correctly and the channel is more or less accessible than intended by the administrator.

Event Details

Product:

Windows Operating System

ID:

6000

Source:

Microsoft-Windows-Eventlog

Version:

6.0

Symbolic Name:

EVENT_LOG_FULL

Message:

The %1 log file is full.

Resolve

Update settings to handle the log full condition

Event 6000 indicates that the maximum capacity for an event log has been reached. The configuration settings for an event log include a setting that indicates how the Event Log service automatically handles the full log. This configuration setting can be found by right-clicking the log in the Event Viewer and selecting Properties.

1. If the property is set to Overwrite events as required (retention is set to false on the command line), the log automatically recovers from the log full condition by overwriting oldest events with new events.

2. If the log is set to Archive the log when full, do not overwrite events (retention is set to true, autoBackup is set to true from the command line), the log automatically recovers from the log full condition by copying the full log into a new file with a name based on the date that the copy was made, and a new empty log file is started.

3. If the log is set to Do not overwrite events (retention is set to true, autoBackup is set to false from the command line), the log must be manually cleared. This can be done by right-clicking the log entry in the Event Viewer and selecting Clear Log , or by running the following command from an elevated command prompt with logName replaced with the name specified in the event 6000:

wevtutil cl logName

Verify

To verify that the log full condition (event 6000) is cleared, use the Event Viewer to read the System log of the local computer and look for the latest event 6000. This event must be followed by events 105 or 104 to indicate that the condition is cleared and that the log is accepting events.

In order to verify that the bad SDDL condition (event 21) is cleared, use the Event Viewer to read the System log of the local computer after the computer has been restarted and verify that event 21 did not appear in the System log after the system was restarted.